I work with a fair few ladies and gents who do bug bounties, and while sitting on the beach during one of our hack-on-the-beach sessions I posed the question: “How friggin evil is clickjacking? PoC or GTFO.” The challenge was set, and here is what we decided.
What we really needed was a credit card company in 2019 that has a clickjacking vulnerability on its web portal. Thankfully, I actually have a card issued by S*************. I know they have a clickjacking vulnerability, despite having informed them of it. For the ultimate challenge, I would open a link sent by each tester and, if it passed the sniff test, I would perform a £10 transfer transaction. Could they intercept it?
Apparently there is no risk, according to one big pentesting and bug bounty firm.
Clickjacking = get rich quick scheme.
A bold statement. 5 seasoned penetration testers. 1 attack vector. 4 attacks that passed the sniff test, and £500 of stolen money in total. How?
Step 1 – The Web Server
To start with, what we needed was a visually similar domain name. A few were located and web servers set up on them with valid SSL certificates. To make the journey really convincing, an email server was also set up to send and receive emails. This section is really important, as it carries the whole attack.
Step 2 – The Illusion
It is possible to just use the second and keylog the entire session, but points were added for evilness. Of course, we are not going to put the actual code used in here, but it took less than two hours to get the snippets from Google, so enjoy that.
The purpose of the glass pane is to separate the victim from the end site. This is very literally a man-in-the-middle attack against the user. By tracking the mouse positions and clicks, it was possible to build a database of likely positions and inclinations, essentially mapping the user journey.
Now came the evil part. Whenever the user entered what looked like an account transfer, the destination account number and sort code were entered as the attacker’s, not what the victim actually thought. Anything returned on the screen was masked by a <div> that showed what the victim would have expected to see. The amount remained the same.
With a transaction identified, the keylogger could now replay the same transaction a few times before the user logged out. Even if the user closed the browser window, it would still run until the session timed out. The keylogger, in this case, re-ran the same transaction minus £1.50. If it succeeded, it would run it again, minus another £1.50, and loop until the site logged out or returned an error.
Step 3 – The Delivery
Delivering the attack is really easy. URL-shortened links delivered via Twitter, Facebook and LinkedIn all work really nicely. We even managed to set up a PPC campaign on Google by copying the actual bank’s PPC campaign and using our URLs.
Step 4 – Viable Targets
Who is at risk from this attack? Well, anyone who runs a transactional site that does not implement the anti-framing security headers, but good targets are:
Banks and credit card companies
All retailers (takes more work but still worth it)
Considering that the remediation for this takes seconds, it is shocking that we still find sites that are vulnerable.
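The seconds-long remediation the post refers to is the pair of response headers that stop a browser from framing a page: the Content-Security-Policy frame-ancestors directive, and X-Frame-Options for older browsers. The check below is an added example for defenders, not code from the post or its author; it applies browser semantics I am confident of (an enforcing frame-ancestors directive takes precedence over X-Frame-Options, default-src does not fall back to frame-ancestors, Report-Only never blocks, and ALLOW-FROM is obsolete) to a set of constructed sample header sets, so that a transactional site can be audited for exactly the gap the post exploited.

```python
# Added example (not the post's own code): decide whether a response's headers
# let an arbitrary third-party origin frame the page, i.e. whether it is exposed
# to clickjacking. Sample header sets below are constructed, not captured.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FrameVerdict:
    frameable_by_third_party: bool
    reason: str


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers: Dict[str, str]) -> FrameVerdict:
    """Interpret the headers the way a current browser does.

    - An enforcing CSP with frame-ancestors wins; X-Frame-Options is then ignored.
    - Content-Security-Policy-Report-Only only reports, so it is not consulted.
    - X-Frame-Options DENY / SAMEORIGIN block third parties; ALLOW-FROM and any
      unrecognised value are ignored by current browsers, so they protect nothing.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            # An empty source list matches nothing, the same as 'none'.
            if not ancestors or ancestors == ["'none'"]:
                return FrameVerdict(False, "CSP frame-ancestors blocks all framing")
            # '*' or a bare scheme lets any site on that scheme embed the page.
            open_sources = [a for a in ancestors if a == "*" or a in ("http:", "https:")]
            if open_sources:
                return FrameVerdict(True, f"CSP frame-ancestors allows any origin via {open_sources}")
            if ancestors == ["'self'"]:
                return FrameVerdict(False, "CSP frame-ancestors 'self' limits framing to the same origin")
            return FrameVerdict(False, f"CSP frame-ancestors allowlist in force: {ancestors} (review each entry)")

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return FrameVerdict(False, f"X-Frame-Options {xfo} blocks third-party framing")
    if xfo.startswith("ALLOW-FROM"):
        return FrameVerdict(True, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")
    if xfo:
        return FrameVerdict(True, f"X-Frame-Options value {xfo!r} is invalid and ignored")
    return FrameVerdict(True, "no enforcing frame-ancestors or X-Frame-Options header present")


# Constructed sample responses (hypothetical hosts, not any real site's headers).
SAMPLES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "legacy_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "hardened": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"},
}


def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, FrameVerdict]:
    """Run the check over a named set of header dictionaries."""
    return {name: assess_framing(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        flag = "VULNERABLE" if verdict.frameable_by_third_party else "ok"
        print(f"{name:18} {flag:10} {verdict.reason}")
```

Run against a live portal by feeding `assess_framing` the headers of the authenticated pages (the transfer form in particular), not just the landing page: protection has to be present on every response the victim can be tricked into interacting with. The "unprotected" sample is the common mistake where a CSP exists but carries no frame-ancestors directive, which leaves the page exactly as frameable as one with no CSP at all.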
Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.